Modification or Removal of an Okta Application Sign-On Policy | Elastic Security Solution [8.13]

› ›

« Attempt to Reset MFA Factors for an Okta User Account Potential Protocol Tunneling via EarthWorm »

Modification or Removal of an Okta Application Sign-On Policyedit

Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Identity
Okta
Continuous Monitoring
SecOps
Identity and Access
Persistence

Version: 8

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/

« Attempt to Reset MFA Factors for an Okta User Account Potential Protocol Tunneling via EarthWorm »